Abstract (p.1)

A peer-to-peer network, enabling different parties to jointly store and run computations on data while keeping the data completely private. Enigma’s computational model is based on a highly optimized version of secure multi-party computation, guaranteed by a verifiable secret-sharing scheme. For storage, we use a modified distributed hashtable for holding secret-shared data. An external blockchain is utilized as the controller of the network, manages access control, identities and serves as a tamper-proof log of events. Security deposits and fees incentivize operation, correctness and fairness of the system. Similar to Bitcoin, Enigma removes the need for a trusted third party, enabling autonomous control of personal data. For the first time, users are able to share their data with cryptographic guarantees regarding their privacy.

・Computational model: secure multi-party computation
・Storage: distributed hash table
・External blockchain: access control and a tamper-proof log of events
・Like Bitcoin, decentralized (no trusted third party)
・Data sharing with cryptographic privacy guarantees

Motivation (p.1)

・The era in which centralization was acceptable
・The harms of centralization that have since emerged
・Bitcoin/blockchain arrived together with the concept of decentralization

The intense verification and public nature of the blockchain limits potential use cases, however. Modern applications use huge amounts of data, and run extensive analysis on that data. This restriction means that only fiduciary code can run on the blockchain [7]. The problem is, much of the most sensitive parts of modern applications require heavy processing on private data. In their current design, blockchains cannot handle privacy at all. Furthermore, they are not well-suited for heavy computations. Their public nature means private data would flow through every full node on the blockchain, fully exposed.

・But blockchains are poor at handling privacy and are also unsuited to large-scale computation: private data would flow through every node

There is a strange contradiction in this setup. The most sensitive, private data can only be stored and processed in the centralized, less transparent and insecure model. We have seen this paradigm lead to catastrophic data leaks and the systematic lack of privacy we are currently forced to accept in our online lives.

・So the most sensitive data ends up being handled centrally, and we have witnessed the transparency and security problems this causes

Enigma (p.2)

Enigma is a decentralized computation platform with guaranteed privacy. Our goal is to enable developers to build ’privacy by design’, end-to-end decentralized applications, without a trusted third party. Enigma is private. Using secure multi-party computation (sMPC or MPC), data queries are computed in a distributed way, without a trusted third party. Enigma is scalable. Unlike blockchains, computations and data storage are not replicated by every node in the network. Only a small subset perform each computation over different parts of the data. The key new utility Enigma brings to the table is the ability to run computations on data, without having access to the raw data itself.

・Enigma is a privacy-preserving decentralized computation platform
・Built on secure multi-party computation (sMPC)
・Unlike a blockchain, computation and data storage are partitioned across nodes rather than replicated by every node

3 Design overview (p.2)

Enigma is designed to connect to an existing blockchain and off-load private and intensive computations to an off-chain network. All transactions are facilitated by the blockchain, which enforces access-control based on digital signatures and programmable permissions. Code is executed both on the blockchain (public parts) and on Enigma (private or computationally intensive parts). Enigma’s execution ensures both privacy and correctness, whereas a blockchain alone can only ensure the latter. Proofs of correct execution are stored on the blockchain and can be audited. We supply a scripting language for designing end-to-end decentralized applications using private contracts, which are a more powerful variation of smart contracts that can handle private information (i.e., their state is not strictly public).

・Enigma consists of an existing blockchain plus an off-chain private network
・Enigma guarantees both privacy and correctness; a blockchain alone guarantees only the latter
・Provides private contracts, whose state is not public

The scripting language is also Turing-complete, but this is not as important as its scalability. Code execution in blockchains is decentralized but not distributed, so every node redundantly executes the same code and maintains the same public state. In Enigma, the computational work is efficiently distributed across the network. An interpreter breaks down the execution of a private contract, as is illustrated in Figure 1, resulting in improved run-time, while maintaining both privacy and verifiability.

・In Enigma, computation is distributed across the network, rather than every node redundantly running the same code in parallel

The off-chain network solves the following issues that blockchain technology alone cannot handle:

1. Storage. Blockchains are not general-purpose databases. Enigma has a decentralized off-chain distributed hash-table (or DHT) that is accessible through the blockchain, which stores references to the data but not the data themselves. Private data should be encrypted on the client-side before storage and access-control protocols are programmed into the blockchain. Enigma provides simple APIs for these tasks in the scripting language.

・Enigma's storage is a decentralized off-chain DHT
・The blockchain stores only references (hashes) to the data held in the DHT, not the data itself
・Data is encrypted on the client side before being stored
・Access control is handled on the blockchain

2. Privacy-enforcing computation. Enigma’s network can execute code without leaking the raw data to any of the nodes, while ensuring correct execution. This is key in replacing current centralized solutions and trusted overlay networks that process sensitive business logic in a way that negates the benefits of a blockchain. The computational model is described in detail in section 5.

3. Heavy processing. Even when privacy is not a concern, the blockchain cannot scale to clearing many complex transactions. The same off-chain computational network is used to run heavy publicly verifiable computations that are broadcast through the blockchain.

・Code runs without the raw data leaking to any node
・Off-chain processing is what lets the system scale

4 Off-chain storage (p.3)

Off-chain nodes construct a distributed database. Each node has a distinct view of shares and encrypted data so that the computation process is guaranteed to be privacy-preserving and fault tolerant. It is also possible to store large public data (e.g., files) unencrypted and link them to the blockchain. Figure 2 illustrates the database view of a single node. On a network level, the distributed storage is based on a modified Kademlia DHT protocol [11] with added persistence and secure point-to-point channels, simulated using a broadcast channel and public-key encryption. This protocol assists in distributing the shares in an efficient manner. When storing shares, the original Kademlia distance metric is modified to take into account the preferential probability of a node.

・Each node stores shares, encrypted data and public data
・Uses a modified Kademlia DHT protocol
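The XOR metric and replica placement that the Kademlia DHT uses, as an added example (not code from the paper or from Enigma): the node labels, the 20-node network and the key are constructed, and the block shows unmodified Kademlia, since the paper does not say how the distance is reweighted by a node's preferential probability.

```python
"""Kademlia XOR metric and k-closest replica selection, as used to place shares in a DHT.
Constructed example, not Enigma's code; node labels and the key are made up."""
import hashlib


def node_id(label: str) -> int:
    """160-bit ID from a label (SHA-1, the size Kademlia uses); stand-in for a node key."""
    return int.from_bytes(hashlib.sha1(label.encode()).digest(), "big")


def xor_distance(a: int, b: int) -> int:
    """Kademlia's metric d(a, b) = a XOR b: symmetric, d(a, a) = 0, satisfies the triangle
    inequality, and is unidirectional (for fixed a and d there is exactly one b)."""
    return a ^ b


def bucket_index(a: int, b: int) -> int:
    """Which k-bucket of node a holds node b: index of the highest differing bit (-1 if equal)."""
    return (a ^ b).bit_length() - 1


def k_closest(key: int, nodes: dict, k: int) -> list:
    """Labels of the k nodes whose IDs are XOR-closest to key. A value keyed by `key`
    (here a share or an encrypted blob) is stored at exactly these k nodes."""
    return sorted(nodes, key=lambda lbl: xor_distance(key, nodes[lbl]))[:k]


def triangle_holds(a: int, b: int, c: int) -> bool:
    """d(a, c) <= d(a, b) + d(b, c); true for XOR because x ^ y <= x + y for non-negative ints."""
    return xor_distance(a, c) <= xor_distance(a, b) + xor_distance(b, c)


def placement(nodes: dict, key_label: str, k: int) -> list:
    """Keys and node IDs live in the same 160-bit space, so a key is hashed like a node."""
    return k_closest(node_id(key_label), nodes, k)


# Constructed 20-node network; labels are illustrative only.
NETWORK = {f"node-{i}": node_id(f"node-{i}") for i in range(20)}

if __name__ == "__main__":
    print(placement(NETWORK, "share:alice:0", 3))
```

The nodes returned by placement are the ones a lookup for that key converges on, so they are also the nodes an attacker would need to control to suppress that share; the paper's reputation-weighted modification changes which nodes are preferred but not this basic structure.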

5 Privacy-enforcing computation (p.4)

In this section, we describe Enigma’s computational model. We begin with a brief introduction to publicly verifiable secure MPC based on state-of-the-art advances in cryptography. Then, we describe a series of performance improvements to secure MPC that makes the technology practical even when the network is large: hierarchical secure MPC, network reduction and adaptable circuits. To use Enigma, developers write high-level code, where public parts are executed on the blockchain and private parts are run off-chain, on Enigma’s platform. We call these private contracts, since they are smart contracts that can handle private information.

・Introduces publicly verifiable secure MPC
・The improvements: hierarchical secure MPC, network reduction, adaptable circuits
・Public parts run on the blockchain; private parts run off-chain

5.1.1 Privacy (passive adversaries) (p.4)

Yao introduced the first solution to secure two-party computation protocols in 1982 [12]. In the same paper, Yao suggested the popular millionaire problem, describing two millionaires interested in knowing which one of them is richer, without revealing their actual net worth. In the decades since, the two-party problem has been generalized to MPC, which refers to the n-party case. For general-purpose MPC, in which every protocol could be composed from a circuit of elementary MPC gates, two major approaches have been developed over the years: Yao’s garbled (boolean) circuits [13] and MPC based on secret sharing. The latter has been more commonly used in production systems (e.g., [14] and [15]) and is our focus as well.

・Yao introduced the first secure two-party computation protocol in 1982
・Millionaire problem: two millionaires learn which of them is richer without revealing their net worth
・Later generalized to n-party MPC
・General-purpose MPC composes elementary MPC gates into circuits; two main approaches: Yao's garbled (boolean) circuits and MPC based on secret sharing. Enigma uses the latter.

A threshold cryptosystem is defined by (t + 1, n) − threshold, where n is the number of parties and t + 1 is the minimal number of parties required to decrypt a secret encrypted with threshold encryption. Secret sharing is an example of a threshold cryptosystem, where a secret s is divided among n, s.t. at least t+1 are required to reconstruct s. Any subset of t parties cannot learn anything about the secret. A linear secret-sharing scheme (or LSSS) partitions a secret to shares such that the shares are a linear combination of the secret. Shamir’s secret sharing (or SSS) is an example of a LSSS, which uses polynomial interpolation and is secure under a finite field Fp [16].

・Threshold cryptosystem, (t + 1, n)-threshold: any t + 1 of the n pieces suffice to decrypt
・Secret sharing is one example of a threshold cryptosystem
・The secret s is split into n shares; at least t + 1 are needed to reconstruct s
・Any t shares alone reveal nothing about the secret
・Shamir's secret sharing (SSS) is an example of an LSSS
・Shamir is the S in RSA
・Polynomial interpolation: finding the polynomial that passes through a given set of points
・Secure over a finite field F_p

Multiplication of two secrets s1 and s2 is somewhat more involved. If each party would attempt to locally compute the product of two secrets, they would collectively obtain a polynomial of degree 2t, requiring a polynomial reduction step (2t → t). For an information theoretic setting, this result adds an honest majority constraint (i.e., t < n/2 ) on privacy and correctness. If we bound the adversary’s computational power, both properties are assured for any number of corrupted parties, but fairness and deciding on an output still requires an honest majority [17]. As to performance, a re-sharing step is required in the degree reduction step, implying all parties must interact with all other parties (O(n^2 ) communications). This makes MPC impractical for anything larger than a small constant number of parties n. While optimized solutions exist for improving the amortized complexity, they are based on assumptions that restrict functionality in practice. Conversely, we describe a generic solution to this problem for any functionality in Section 5.2, which makes secure MPC feasible for arbitrarily large networks.

・Multiplication is the hard part: the degree-reduction step costs O(n^2) communication, so n cannot grow large in plain n-party MPC. Section 5.2 addresses efficiency.
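A worked example covering the two passages above (Shamir (t+1, n) sharing over F_p and its linearity, then the degree-2t problem of local multiplication and the re-sharing step that fixes it), added here and not code from the paper: the prime P, the parameters t = 2 and n = 5, and the two secrets are constructed, and the reduction is the classic re-sharing approach the paper refers to, not Enigma's optimized hierarchical version.

```python
"""Shamir (t+1, n) secret sharing over F_p, share-level addition, and the degree-reduction
(re-sharing) step that secure multiplication needs. Constructed example, not Enigma's code."""
import secrets

P = (1 << 61) - 1  # Mersenne prime 2^61-1; constructed choice, must exceed n and every secret


def eval_poly(coeffs, x):
    """Horner evaluation of the polynomial whose constant term coeffs[0] is the secret."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def share(secret, t, n):
    """Random degree-t polynomial f with f(0) = secret; party i receives the point (i, f(i))."""
    coeffs = [secret % P] + [secrets.randbelow(P) for _ in range(t)]
    return [(i, eval_poly(coeffs, i)) for i in range(1, n + 1)]


def lagrange_at_zero(xs, j):
    """Lagrange basis coefficient of the point xs[j] for evaluating the interpolant at x = 0."""
    num = den = 1
    for m, xm in enumerate(xs):
        if m != j:
            num = num * (-xm) % P
            den = den * (xs[j] - xm) % P
    return num * pow(den, P - 2, P) % P  # Fermat inverse; P is prime


def reconstruct(shares):
    """Interpolate f(0) from the given points; correct only if len(shares) > deg f."""
    xs = [x for x, _ in shares]
    return sum(y * lagrange_at_zero(xs, j) for j, (_, y) in enumerate(shares)) % P


def add_shares(a, b):
    """LSSS linearity: each party adds its two shares locally, with no communication."""
    return [(x, (ya + yb) % P) for (x, ya), (_, yb) in zip(a, b)]


def local_mul(a, b):
    """Each party multiplies locally; the points now lie on a polynomial of degree 2t."""
    return [(x, ya * yb % P) for (x, ya), (_, yb) in zip(a, b)]


def degree_reduce(prod_shares, t, n):
    """Re-sharing step (2t -> t). Party i re-shares its degree-2t product share with a
    fresh degree-t polynomial and sends sub-share k to party k; party k combines the n
    sub-shares it receives with the Lagrange coefficients for x = 0. The result is a
    degree-t sharing of s1*s2. Needs n >= 2t+1 (honest majority) and n*n messages."""
    assert n >= 2 * t + 1, "2t+1 points are needed to pin down a degree-2t polynomial"
    xs = [x for x, _ in prod_shares]
    lam = [lagrange_at_zero(xs, i) for i in range(n)]
    sub = [share(y, t, n) for _, y in prod_shares]  # sub[i][k]: from party i to party k
    return [(k + 1, sum(lam[i] * sub[i][k][1] for i in range(n)) % P) for k in range(n)]


def run_demo(t=2, n=5, s1=1234, s2=5678):
    """Reconstructions from different share counts, for the sum and the product."""
    a, b = share(s1, t, n), share(s2, t, n)
    prod = local_mul(a, b)
    return {
        "s1_from_last_t_plus_1": reconstruct(a[-(t + 1):]),
        "sum_from_t_plus_1": reconstruct(add_shares(a, b)[: t + 1]),
        "product_from_2t_plus_1": reconstruct(prod[: 2 * t + 1]),
        "product_reduced_from_t_plus_1": reconstruct(degree_reduce(prod, t, n)[: t + 1]),
    }


if __name__ == "__main__":
    print(run_demo())
```

With t = 2 and n = 5, 2t + 1 = n, so reconstructing the raw product needs every party, whereas after degree_reduce any 3 shares suffice again; interpolating the product polynomial from only t + 1 points returns a wrong value (with overwhelming probability), which is why the reduction cannot be skipped. The n*n sub-share messages inside degree_reduce are the O(n^2) communication the paper refers to, and the assert on n >= 2t + 1 is the honest-majority constraint in code.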

5.1.2 Correctness (malicious adversaries) (p.5)

・Guaranteeing that the result is correct is hard: computation errors, malicious participants, and so on...

Very recently, Baum et al. developed a publicly auditable secure MPC system that ensures correctness, even when all computing nodes are covertly malicious, or all but a single node are actively malicious [18]. Their state-of-the-art results are based on a variation of SPDZ (pronounced speedz) [19] and depend on a public append-only bulletin board, which stores the trail of each computation. This allows any auditing party to check the output is correct by comparing it to the public ledger’s trail of proofs. Our system uses the blockchain as the bulletin board, thus our overall security is reduced to that of the hosting blockchain.

・Baum et al. (2014) devised a publicly auditable MPC system, based on SPDZ
・What does "malicious" mean here: tampering, computation errors? Do the computing parties not need to be trusted at all?
・The Enigma authors use the blockchain as this bulletin board

5.2 Hierarchical secure MPC (p.6)

Cohen et al [20] recently proposed a method of simulating an n-party secure protocol using a log depth formula of constant-size MPC gates, as illustrated in Figure 3. We extend their result to LSSS and are able to reduce the communication-complexity of multiplication from quadratic to linear, at the cost of increased computation complexity, which is parallelized. Figure 4 illustrates how vanilla MPC is limited by the number of parties, while our implementation scales up to arbitrarily large networks.

・An n-party sMPC can be simulated with many small (e.g. 3-party) sMPCs
・In the figure, n = 9 is built from 3-party sMPCs in two levels
・Multiplication communication cost drops from quadratic to linear (by parallelizing!)
・I suspect they are glossing over the scale at which this can actually be parallelized
・Figure 4 does not even show the quadratic limit

5.3 Network reduction (p.7)

To maximize the computational power of the network, we introduce a network reduction technique, where a random subset of the entire network is selected to perform a computation. The random process preferentially selects nodes based on load-balancing requirements and accumulated reputation, as is measured by their publicly validated actions. This ensures that the network is fully utilized at any given point.

・A random subset of the whole network is selected to perform each computation
・"Random", but the selection is weighted by accumulated reputation
・What secures the reputation itself? (Not mentioned; presumably backed by the blockchain?)

5.4 Adaptable circuits (p.7)

Code evaluated in our system is guaranteed not to leak any information unless a dishonest majority colludes (t ≥ n/2). This is true for the inputs, as well as any interim variables computed while the code is evaluated. An observant reader would notice that as a function is evaluated from inputs to outputs, the interim results generally become less descriptive and more aggregative. For simple functions or functions involving very few inputs, this may not hold true, but since these functions are fast to compute - no additional steps are needed. However, for computationally expensive functions, involving many lines of code and a large number of inputs, we can dynamically reduce the number of computing nodes as we progress, instead of having a fixed n for the entire function evaluation process. Specifically, we design a feed-forward network (Figure 5) that propagates results from inputs to outputs. The original code is reorganized so that we process addition gates on the inputs first, followed by processing multiplication gates. The interim results are then secret-shared with N/c nodes, and the process is repeated recursively.

・No information leaks unless a dishonest majority colludes (is "malicious" the same as "dishonest"??)
・Compile-time reorganization so the work can be parallelized
・Nothing is said about the actual algorithm...

5.5 Scripting (p.7)

As previously mentioned, end-to-end decentralized apps are developed using private contracts, which are further partitioned to on-chain and off-chain execution. Off-chain code returns results privately, while sending correctness proofs to the blockchain. For simplicity, the scripting language is similar in syntax to well-known programming languages. There are two major additions to the scripting language that require more detail.

5.6 Private data types (notes continuing 5.5 Scripting)

・The private keyword guarantees that a variable is secure and private
・Off-chain code returns results privately, sending only correctness proofs to the blockchain

7 Incentives (p.12)

Since Enigma is not a cryptocurrency or a blockchain, the incentive scheme is based on fees rather than mining rewards, where nodes are compensated for providing computational resources. Full nodes are required to provide a security deposit, making malicious behaviour punishable.

7.1 Security Deposits
7.2 Computation Fees
7.3 Storage Fees

・The incentive scheme is fee-based (no mining rewards)
・A node places a security deposit into the private contract before starting a computation
・Misbehaviour forfeits the deposit, which is distributed to the other honest nodes
・Computation fees are a fixed price list, like Ethereum gas
・Storage fees are market-based and time-limited; once the funds run out, the data is eventually deleted

8 Applications (p.12)

・Many possible applications

8.1 Data Marketplace

Direct consumer to business marketplace for data. With guaranteed privacy, autonomous control and increased security, consumers will sell access to their data. For example, a pharmaceutical company looking for patients for clinical trials can scan genomic databases for candidates. The marketplace would eliminate tremendous amounts of friction, lower costs for customer acquisition and offer a new income stream for consumers.

・Consumers can sell access to their data directly
・e.g. a pharmaceutical company looking for clinical-trial patients can search genomic databases for candidates
・Lowers customer-acquisition costs
・A new income stream for consumers